CVE-2025-21204 exploit simulation for non-admin users via junction-based path hijack.
https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/
https://raw.githubusercontent.com/eshlomo1/CloudSec/refs/heads/main/Attacking%20the%20Cloud/CVE-2025-21204/Exploit-CVE2025-UpdateStackLPE-NonAdmin.ps1
https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/
https://raw.githubusercontent.com/eshlomo1/CloudSec/refs/heads/main/Attacking%20the%20Cloud/CVE-2025-21204/Exploit-CVE2025-UpdateStackLPE-NonAdmin.ps1
CYBERDOM
Abusing the Windows Update Stack to Gain SYSTEM Access (CVE-2025-21204)
The CVE-2025-21204 is precisely that kind of vulnerability. It doesn't require a zero-day exploit or complex memory corruption chain. It doesn't need a phishing campaign or a dropped malware loader. All it takes is: A misused filesystem trust, a writable…
mssql dumper
https://github.com/LTJAXSON/MSSQL---Dumper
https://github.com/LTJAXSON/MSSQL---Dumper
GitHub
GitHub - LTJAXSON/MSSQL---Dumper: mssql_dumper is a powerful NetExec module designed to hunt for sensitive data across Microsoft…
mssql_dumper is a powerful NetExec module designed to hunt for sensitive data across Microsoft SQL Server databases with surgical precision. - LTJAXSON/MSSQL---Dumper
BadSuccessor ports:
Powershell : https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1
Python: https://github.com/cybrly/badsuccessor
.Net : https://github.com/logangoins/SharpSuccessor
added to
nxc : https://github.com/Pennyw0rth/NetExec
bloodyAD : https://github.com/CravateRouge/bloodyAD
Powershell : https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1
Python: https://github.com/cybrly/badsuccessor
.Net : https://github.com/logangoins/SharpSuccessor
added to
nxc : https://github.com/Pennyw0rth/NetExec
bloodyAD : https://github.com/CravateRouge/bloodyAD
GitHub
Pentest-Tools-Collection/tools/ActiveDirectory/BadSuccessor.ps1 at main · LuemmelSec/Pentest-Tools-Collection
Contribute to LuemmelSec/Pentest-Tools-Collection development by creating an account on GitHub.
evil-winrm python version
https://github.com/adityatelange/evil-winrm-py
https://github.com/adityatelange/evil-winrm-py
GitHub
GitHub - adityatelange/evil-winrm-py: Execute commands interactively on remote Windows machines using the WinRM protocol
Execute commands interactively on remote Windows machines using the WinRM protocol - adityatelange/evil-winrm-py
Signature Kid is a header only tool that steals a signature from a file and copy it to whathever file you want.
Beyond Stealing, Signature Kid goes a step further by Windows Internal to trick the system to treat the copied signature as valid.
https://github.com/dslee2022/SignatureKid
Beyond Stealing, Signature Kid goes a step further by Windows Internal to trick the system to treat the copied signature as valid.
https://github.com/dslee2022/SignatureKid
GitHub
GitHub - dslee2022/SignatureKid
Contribute to dslee2022/SignatureKid development by creating an account on GitHub.
BaldHead is a modular and interactive Active Directory (AD) attack framework built for red teamers and security testers. It automates enumeration and exploitation of AD misconfigurations
https://github.com/ahmadallobani/BaldHead
https://github.com/ahmadallobani/BaldHead
GitHub
GitHub - ahmadallobani/BaldHead: BaldHead is a modular and interactive Active Directory (AD) attack framework built for red teamers…
BaldHead is a modular and interactive Active Directory (AD) attack framework built for red teamers and security testers. It automates enumeration and exploitation of AD misconfigurations - ahmadall...
Decrypt SCCM and DPAPI secrets with Powershell.
https://github.com/The-Viper-One/Invoke-PowerDPAPI
https://github.com/The-Viper-One/Invoke-PowerDPAPI
GitHub
GitHub - The-Viper-One/Invoke-PowerDPAPI: Decrypt SCCM and DPAPI secrets with Powershell.
Decrypt SCCM and DPAPI secrets with Powershell. . Contribute to The-Viper-One/Invoke-PowerDPAPI development by creating an account on GitHub.
This media is not supported in your browser
VIEW IN TELEGRAM
This is PoC for CVE-2025-48799, an elevation of privilege vulnerability in Windows Update service.
https://github.com/Wh04m1001/CVE-2025-48799
https://github.com/Wh04m1001/CVE-2025-48799
Client-side Encrypted Upload Server Python Script
https://github.com/vysecurity/ExfilServer
https://github.com/vysecurity/ExfilServer
GitHub
GitHub - vysecurity/ExfilServer: Client-side Encrypted Upload Server Python Script
Client-side Encrypted Upload Server Python Script. Contribute to vysecurity/ExfilServer development by creating an account on GitHub.
Critical vulnerability in Windows Server 2025 allows attackers with KDS root key access to generate passwords for all dMSA/gMSA accounts forest-wide. New research reveals design flaw in ManagedPasswordId structure - only 1,024 possible combinations makes brute-force trivial.
https://github.com/Semperis/GoldenDMSA
https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/
https://github.com/Semperis/GoldenDMSA
https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/
GitHub
GitHub - Semperis/GoldenDMSA: This tool exploits Golden DMSA attack against delegated Managed Service Accounts.
This tool exploits Golden DMSA attack against delegated Managed Service Accounts. - Semperis/GoldenDMSA
CVE-2025-53770 exploit
https://github.com/soltanali0/CVE-2025-53770-Exploit
https://github.com/soltanali0/CVE-2025-53770-Exploit
GitHub
GitHub - soltanali0/CVE-2025-53770-Exploit: SharePoint WebPart Injection Exploit Tool
SharePoint WebPart Injection Exploit Tool. Contribute to soltanali0/CVE-2025-53770-Exploit development by creating an account on GitHub.
PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph
https://github.com/SpecterOps/MSSQLHound
https://github.com/SpecterOps/MSSQLHound
GitHub
GitHub - SpecterOps/MSSQLHound: PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph
PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph - SpecterOps/MSSQLHound
TAP SSH VPN - this will allow you to VPN your machine into the remote TAP device through a reverse SSH tunnel.
https://github.com/trustedsec/tap/blob/master/noscripts/ssh-tunnel.sh
https://github.com/trustedsec/tap/blob/master/noscripts/ssh-tunnel.sh
GitHub
tap/noscripts/ssh-tunnel.sh at master · trustedsec/tap
The TrustedSec Attack Platform is a reliable method for droppers on an infrastructure in order to ensure established connections to an organization. - trustedsec/tap
Your template-based BloodHound terminal companion tool
https://github.com/fin3ss3g0d/cypherhound
https://github.com/fin3ss3g0d/cypherhound
GitHub
GitHub - fin3ss3g0d/cypherhound: Your template-based BloodHound terminal companion tool
Your template-based BloodHound terminal companion tool - fin3ss3g0d/cypherhound
Weaponize DLL hijacking easily. Backdoor any function in any DLL
https://github.com/Print3M/DllShimmer
https://github.com/Print3M/DllShimmer
GitHub
GitHub - Print3M/DllShimmer: Weaponize DLL hijacking easily. Backdoor any function in any DLL.
Weaponize DLL hijacking easily. Backdoor any function in any DLL. - Print3M/DllShimmer
you can call something like NtAllocateVirtualMemoryEx without ever touching ntdll!
https://github.com/whokilleddb/function-collections/blob/main/winapi_alternatives/NtAllocateMemoryEx/main.c
https://github.com/whokilleddb/hoontr
https://github.com/whokilleddb/function-collections/blob/main/winapi_alternatives/NtAllocateMemoryEx/main.c
https://github.com/whokilleddb/hoontr
GitHub
function-collections/winapi_alternatives/NtAllocateMemoryEx/main.c at main · whokilleddb/function-collections
A collection of PoCs to do common things in unconventional ways - whokilleddb/function-collections
Group Policy Objects manipulation and exploitation framework
https://github.com/synacktiv/GroupPolicyBackdoor
https://github.com/synacktiv/GroupPolicyBackdoor
GitHub
GitHub - synacktiv/GroupPolicyBackdoor: Group Policy Objects manipulation and exploitation framework
Group Policy Objects manipulation and exploitation framework - synacktiv/GroupPolicyBackdoor
Named in homage to pwndrop, pwnlift is a simple dotnet server application for uploading files from a desktop without the use of a C2. Useful if you have a console access to a machine and need to take files offline for analysis (such as Code Integrity Policy files).
https://github.com/rasta-mouse/pwnlift
https://github.com/rasta-mouse/pwnlift
GitHub
GitHub - rasta-mouse/pwnlift: Easy peasy file uploads
Easy peasy file uploads. Contribute to rasta-mouse/pwnlift development by creating an account on GitHub.
Comprehensive Windows Syscall Extraction & Analysis Framework
https://github.com/xaitax/NTSleuth
https://github.com/xaitax/NTSleuth
GitHub
GitHub - xaitax/NTSleuth: Comprehensive Windows Syscall Extraction & Analysis Framework
Comprehensive Windows Syscall Extraction & Analysis Framework - xaitax/NTSleuth